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Abstract. This paper defines a sound and complete semantic criterion, based on re- 
ducibility candidates, for strong normalization of theories expressed in minimal deduction 
modulo a la Curry. The use of Curry-style proof-terms allows to build this criterion on 
the classic notion of pre-Heyting algebras and makes that criterion concern all theories 
expressed in minimal deduction modulo. Compared to using Church-style proof-terms, 
this method provides both a simpler definition of the criterion and a simpler proof of its 
completeness. 



In 1936, Tarski was the first to formally exhibit a link between model theory and proof 
theory I24j . Model theory is the study of what is semantically true, via the study of 
algebraic structures. Whereas proof theory is the study of what is syntactically provable, via 
the study of logical systems. Tarski showed that we can deduce properties in the syntactic 
world from properties in the semantic world. In particular, he proved that consistency of 
a theory in first order logic is entailed by the existence of a model on some Boole algebra 
for that theory (i.e. a function, satisfying some properties, from the syntactic language to 
particular semantic objects). Consistency is a syntactic property that ensures that a theory 
does not contain any contradiction. If two propositions are contradictory, then there is at 
least one of them that we cannot prove in a consistent theory. Tarski's result shows that the 
existence of such a Boole-valued model forms a sound (semantic) criterion for (syntactic) 
consistency of first order theories. 

On the other hand, Godel had previously shown, in its completeness theorem [16], that 
we can also deduce semantic properties from syntactic ones. This theorem states that if a 
theory is consistent in first order logic, then one can build a Boole- valued model for that 
theory. Hence the existence of a Boole-valued model forms a sound and complete criterion 
for consistency of first order theories. This link in both directions between semantic and 
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syntactic worlds is a fundamental tool to study consistency of logic systems. For example, 
it allows to prove that the axiom of choice is independent from Zermelo-Fraenkel set theory 
(ZF). This means that adding the axiom of choice or its negation to the axioms of ZF 
does not change consistency. The idea of the proof is to first exhibit, by completeness and 
the hypothesis of syntactic consistency of ZF, a Boole-valued model of ZF in the semantic 
world. Then semantic tools can be used to transform it into a Boole-valued model of ZF 
with the axiom of choice, ZFC {resp. ZF with the negation of the axiom of choice, ZF-iC). 
Finally, it entails consistency of ZFC {resp. ZF-iC), by soundness. The ZF to ZFC part 
was proved by Godel [T7] while the ZF to ZF-iC part was proved by Cohen [2]. 

From a computer scientist point of view, consistency is not a sufficient property. Indeed, in 
order to define theories in which all (constructive) proofs can be machine-checked, a stronger 
property is needed, namely cut elimination, meaning that all proofs can be represented in 
a canonical cut-free way. 

Deduction modulo [H] is a generic way to integrate computation rules into a deduction 
system, such as natural deduction or sequent calculus. In this paper, we shall only con- 
sider the case of natural deduction. Deduction modulo can express theories with rewrite 
rules instead of axioms, {e.g. Peano arithmetic [14], higher-order logic |llj and Zermelo 
set theory |12j). Expressing axioms via rewrite rules allows to express the notion of an 
axiomatic cut through a combination of regular cuts, leading to a uniform notion for cuts 
and cut elimination. This gives a generic method to prove cut elimination for theories ex- 
pressed in natural deduction modulo, which consists in proving the strong normalization 
property for the corresponding proof-terms, via the proofs-as-programs paradigm (a.k.a. 
the Curry-Howard correspondence). In deduction modulo, if all proof-terms of a theory 
are strongly normalizing, then this theory satisfies the cut elimination property (and is 
moreover consistent in the case of constructive deduction modulo). 

In 1971, following the work of Tait [25], Girard developed an apparently syntactic method 
for proving strong normalization, called reducibility candidates |15j . The main idea of this 
method is to associate to each proposition A, a set of strongly normalizing proofs and then 
prove that this set contains all the proofs of A. This method has been extended to several 
logical frameworks. In particular, Dowek and Werner defined reducibility candidates for 
deduction modulo [13] . Their extension provides a sound criterion for strong normalization 
of theories expressed in deduction modulo. Dowek also defined pre-Heyting algebras [TO] 
and showed that reducibility candidates can be defined as a model valued on one of these 
algebras. He provided this way a semantic sound criterion for strong normalization of 
theories expressed in deduction modulo (when expressing proof-terms of deduction modulo 
with a system a la Church). 

Proof-terms a la Church differ from proof-terms a la Curry by the amount of information, 
concerning the proving derivation, that is kept in the corresponding proof-term. For ex- 
ample, in second-order logic, there are two type systems that capture the computational 
contents of cut elimination: Church-style system F [15] and Curry-style system F [22J. The 
latter differs from the former in that it does not keep track of introduction and elimina- 
tion steps of second-order quantification — and thus of the corresponding cuts. Surprisingly, 
it can be shown by purely combinatorial means (as opposed to semantic means) that the 
strong normalization property for Church-style system F is equivalent to the strong nor- 
malization property for its Curry-style variant. Church-style or Curry-style proof-terms can 
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indifferently be considered to prove the cut elimination property for second-order logic, and 
in practice, it is easier to prove the strong normalization property for Curry-style system F, 
which is based on notions of reducibility candidates that are technically easier to manip- 
ulate than the corresponding notions in Church's world. A similar situation exists more 
generally between all the Pure Type Systems pQ of the left-hand side of Barendregt's cube 
and the corresponding Type Assignment Systems [27] (their Curry-style equivalents); or for 
second-order functional arithmetic |21| . where both presentations coexist. In [7J, with A. 
Miquel, we proved that strong normalization of proof-terms a la Church and proof-terms a la 
Curry are equivalent for a large class of theories (non- confusing theories, see definition [LT6]) 
expressed in minimal deduction modulo (deduction modulo where the language of propo- 
sitions uses implication as the only connective and (first-order) universal quantification as 
the only quantifier) . 

The general purpose of my work is to define a sound and complete semantic criterion 
for strong normalization of theories expressed in minimal deduction modulo. In a previous 
paper [1] (see also [5]), I extended the notion of pre-Heyting algebra and tuned the definition 
of reducibility candidates to obtain a sound and complete semantic criterion for strong 
normalization of non- confusing theories expressed in minimal deduction modulo a la Church. 
Considering proof-terms a la Church brought a lot of difficulties, in particular because 
the classic notion of pre-Heyting algebras cannot be used. This paper considers minimal 
deduction modulo a la Curry. It provides a stronger result since it also applies to confusing 
theories. Moreover, using Curry-style deduction modulo allows to use the classic notion of 
pre-Heyting algebra, simplifying this way both the concept of those complete reducibility 
candidates and their proof of completeness. 

This paper is organized as follows: in section 1, we first define minimal deduction modulo a 
la Church and a la Curry. Section 2 presents the concept of reducibility candidates and how 
to define them as a model valued on a pre-Heyting algebra (for minimal deduction modulo) . 
In section 3, we explain how to tune the usual definition of reducibility candidates in order 
to obtain completeness while keeping soundness for strong normalization. And finally, 
section 4 formally defines this new notion of reducibility candidates as a model valued on a 
pre-Heyting algebra, and proves that it provides a sound and complete semantic criterion 
for strong normalization of theories expressed in minimal deduction modulo a la Curry 
(theorem I4.14|) . 



1. Minimal deduction modulo 

As in first-order logic, the language of a theory in deduction modulo [23] is obtained from a 
signature defining a set of function symbols and a set of predicate symbols given with their 
ranks, or arities. For convenience, we shall only consider the case of mono-sorted theories. 
We are convinced that results of the present paper trivially extend to many-sorted theories. 
In minimal deduction modulo, propositions are then built-up from predicates, with the only 
connective =4> and the only quantifier V. 

Given a language of terms and propositions, a theory in deduction modulo is defined not 
by a system of axioms, but by a system of rewrite rules on terms and propositions. Since in 
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this paper we are not interested in the rewrite system itself, but only in the congruence that 
it generates, we shall more generally work with an arbitrary congruence over propositions. 

Once the congruence over propositions has been fixed, the principle of deduction modulo 
consists in adapting deduction rules of natural deduction by allowing a proposition to be 
replaced by any congruent proposition at each deduction step. 

1.1. Theories in minimal deduction modulo. 

In this section, we present the definitions for the syntax of minimal deduction modulo (with 
proof-terms a la Curry or a la Church) and some basic properties. 

Definition 1.1 (Terms and propositions). 

Given an infinite set of term variables (notation: x, y, z, etc.) as well as a first-order 
signature defining a set of function symbols (notation /, /', etc.) and a non-empty set of 
predicate symbol^] (notation: P, P', etc.), each function or predicate symbol being given 
with a natural number called its rank, or arity, the formation rules for terms and propositions 
are the usual ones: 

• If a; is a variable, then x is a term. 

• If / is a function symbol of rank n, and t\, . . . , t n are terms, 
then f(ti, . . . ,t n ) is a term. 

• If P is a predicate symbol of rank n, and t±, . . . ,t n are terms, 
then P(ti, . . . , t n ) is an (atomic) proposition. 

• If A and B are propositions, then so is A =>- B. 

• If a; is a variable and A is a proposition, then Mx.A is a proposition. 

As usual, propositions are considered modulo a-conversion on term- variables. We call free 
the term-variables of a proposition that are not bound by a universal quantification. The 
set of free term- variables of a proposition A is written FV(A). The operation of (capture 
avoiding) substitution is defined as usual, and given terms t, u and a proposition A, we 
denote by (u/x)t (resp. (u/x)A) the term (resp. the proposition) obtained by replacing every 
(free) occurrence of the variable x by the term u in the term t (resp. in the proposition A). 

Definition 1.2 (Congruence relation). 

Given a first order signature, a theory is defined by a congruence = over propositions 
i.e. an equivalence relation such that for all term-variables x and propositions A, A' ,B,B' , 

• If A = A' and B = B', then A => B = A' => B' . 

• If A = A', then Vx.A = Mx.A'. 

We now present two different systems of proof-terms for minimal deduction modulo, de- 
pending on the amount of information we keep from the derivation. Both are formed from 
an auxiliary set of proof-variables, written a, f3, 7, etc. 

Definition 1.3 (Proof-terms a la Church). 

The Church-style proof-terms system for minimal deduction modulo contains two forms of 



We need to assume that the set of predicate symbols is not empty to ensure that the language of 
propositions generated from the signature is not empty. 
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A-abstraction (one for introducing implication and one for introducing universal quantifi- 
cation) and two forms of application (for the corresponding eliminations). Formally, the 
proof-terms (notation: tt, tt', etc.) are defined by: 

tt ::= a Xa.TT tttt Xx.tt irt 

Notice that the first form of A-abstraction binds a proof-variable whereas the second form 
binds a term variable. 

Definition 1.4 (Proof-terms a la Curry). 

The Curry-style proof-terms system does not keep track anymore of the introductions and 
eliminations of universal quantifications. As a consequence, proof-terms are just pure A- 
terms: 

tt ::= a Xa.TT tttt 

We call neutral those proof-terms which are not A-abstractions. This notion of neutrality is 
fundamental in the definition of reducibility candidates. 

Definition 1.5 (Neutral proof-terms). 

Neutral proof-terms are proof-terms of the form: 

• a, tttt' or tt t in Church style, 

• a or tttt' in Curry style. 

Definition 1.6 (Substitution). 

For both systems, the operation of (capture avoiding) substitution is defined as expected. 
In Church-system, we denote by {t/x)TT the proof-term obtained by replacing every free 
occurrence of the first-order variable x by the first-order term t in the proof-term tt. In 
both Church-system and Curry-system, we denote by (tt 1 /ol)tt the proof-term obtained by 
replacing every free occurrence of the proof-variable a by the proof-term tt' in the proof- 
term TT. 

We now define the type systems corresponding to those two proof-terms systems (notice 
that we will use indifferently the words typing and deduction from now, via the proofs-as- 
programs paradigm). 

Definition 1.7 (Typing contexts). 

A typing context, is a finite list of the form ai : A\, . . . , a n : A n where a±, . . . , a n are 
pairwise distinct proof- variables, and where A\,...,A n are arbitrary propositions. 
Given a typing context r = or : A 1 , . . . , a n : A n , we write FV(T) = FV(Ai)U- ■■UFV(A n ). 
For all contexts T and V, we write T C r' when (a : A) € T implies (a : A) € V for all 
declarations (a: A). 

The typing rules for systems a la Church and a la Curry are given in Fig. [TJ These typing 
rules are the usual typing rules of natural deduction (for minimal predicate logic) adapted 
to the framework of deduction modulo, so that a proposition can always be replaced by a 
congruent proposition at each step of the derivation. For example, from a context containing 
a proposition A, the axiom rule permits to derive any proposition A' that is congruent to A, 
and not only A. 

We prove now some basic properties of the two typing systems presented in Fig. [TJ 
Lemma 1.8 (Weakening). IfT h tt and T C T' , then F h tt. 

Proof. By induction on the derivation of T h tt. □ 



6 



D. COUSINEAU 



AXIOM 


Curry, Church 


= j-i H A = B 

1 , a : At- a : B 


=>■ -ELIM 


Curry, Church 


r h vr : C r' h vr' : A 
IT' h (vr vr') : S 


=> -INTRO 


Curry, Church 


T,q : A h vr : B 

— C = A^B 

T h Aa. vr : C 


V-ELIM 


Church 


r h vr : £ 

— — - B = Mx.A, C = (t/jiM 

1 r vr t : G 


Curry 


T h vr : B 

B ~ Vx.A, C ~ (tlx) A 

r h vr : C 


V-INTRO 


Church 


r h vr ■ A 

—— : B = Vx.A, x FV{V) 

1 h Ax.vr : B 


Curry 


T h vr : A 

— B = Vx.A, x f£ FV(T) 

1 h vr : B 



Figure 1: Typing rules 



Lemma 1.9 (Substitutivity). 

(1) IfTi,a : A,T 2 h vr : B andTi h vr' : A, then Ti,T 2 h (vr'/a)vr : J3. 

(2) In Church-style system, if T \- tt : A, then (t/x)T h {t/x)TX : (i/x)^4. 

(3) In Curry-style system, if V \- tt : A, then (t/x)T h vr : (t/x)A. 
(where t is an arbitrary first-order term). 

Proof. Item 1 is proved by induction on the derivation of T\,a : A, T 2 \~ tt : B using 
Lemma 11.81 in the case of the axiom rule. Items 2 and 3 are proved by induction on the 
derivation of T h vr : A. □ 



1.2. /3-reduction and strong normalization. 

This section is devoted to the definitions of /3-reduction and strong normalization for both 
systems. /3-reduction is a computation rule on proof-terms that simulates the elimination 
of cuts. And strong normalization is the property that ensures that all sequences of /3- 
reductions from a proof are finite, leading to the property of cut elimination. 

Definition 1.10 (/3-reduction). 

The relation of /3-reduction is defined as the contextual closure of the following rules: 

• (Aa.vr)vr' — > (vr'/a)vr and (Ax.vr)i — > (i/x)vr in Church-style 

• (Aa.vr)vr' (vr'/a)vr in Curry-style. 



ON COMPLETENESS OF REDUCIBILITY CANDIDATES 



7 



We can see from this definition that /3-reduction models both =>-cuts and V-cuts in the 
system a la Church, while it only models =^-cuts in the system a la Curry. However, 
the strong normalization of a proof-term corresponding to a purely logical derivation of a 
sequent r h A does not depend [7j on whether we construct this proof-term a la Church or 
a la Curry when considering non-confusing theories (see section [L3l for the definition). 
As usual, we write tt — >* tt' (resp. tt — > + tt') if tt reduces to tt' in zero or more steps of 
/3-reduction (resp. in one or more steps of /3-reduction). 

Both systems defined above satisfy the subject reduction property w.r.t. the corresponding 
notion of /3-reduction (i.e. /3-reducing a term does not break well-typedness). 

Lemma 1.11 (Subject reduction). 

In both systems, ifT\-n:A and tt — > tt' , then V h tt' : A. 

Proof. By induction on the derivation of V h tt : A using Lemma 11.91 □ 

We now formally define, for both systems a la Curry and a la Church, the strong normal- 
ization property: the fact that /3-reduction terminates. 

Definition 1.12. Given a proof-term tt, 

- a finite reduction sequence starting from tt is any finite sequence (7Tj)o<i<n (n > 0) such 
that ttq = tt and tti — >• 7Tj+i for all < i < n. The natural number n > is then called 
the length of the sequence (7Tj)o<j< n ; 

- an infinite reduction sequence starting from tt is any infinite sequence (7ri)i g pj such that 
ttq = tt and tti — > tt^i for all i € N. 

The set of all finite reduction sequences starting from a given proof-term tt naturally forms 
a tree, which is called the reduction tree of the term tt. This reduction tree may be finite or 
infinite, but it is always finitely branching since each proof-term has only a finite numbers 
of 1-reducts. 

Definition 1.13 (Normal forms). 

We say that a proof-term tt is in normal form if there is no proof-term tt' such that tt — > tt' '. 

Equivalently, a proof-term tt is in normal form if and only if its reduction tree is reduced to 
a singleton. 

Definition 1.14 (Strongly normalizing proof-terms). 

We say that a proof-term tt is strongly normalizing if one of the following equivalent condi- 
tions holds: 

(1) The reduction tree of tt is finite. 

(2) There is no infinite reduction sequence starting from tt. 
The set of all strongly normalizing terms is written SN . 

And we say that a theory in minimal deduction modulo is strongly normalizing if all its 
(well-typed) proof-terms are strongly normalizing. 
Definition 1.15 (Strongly normalizing theories). 

We say that the theory is strongly normalizing if for all contexts T, for all propositions A 
and for all proof-terms tt, T h tt : A entails that tt is strongly normalizing. 
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Minimal deduction modulo allows to express both strongly normalizing and not strongly 
normalizing theories. For example, the theory defined by an empty signature and the trivial 
congruence relation (propositions are only congruent to themselves) is strongly normalizing 
since well-typed proof-terms of usual natural deduction do terminate. On the other side, 
whenever two propositions of the form A and A B are congruent in a theory, this theory 
is not strongly normalizing. Indeed, in that case, we have: 

a : A h a : A a : A h a : A => B 

j-r- 5 -elim 

a : A\- aa : B 

- -intro 



a : A\- Xa.aa : A B 



And we also have a : A h Xa.aa : A since A = A B . Hence a : A h (Xa.aa) (Xa.aa) : B, 
using the ^-elimination rule. But the proof-term (Xa.aa) (Xa.aa) is not strongly normal- 
izing since it reduces to itself in one step of /3-reduction. 



1.3. On confusing and non-confusing theories. 

Now that we have defined how to express theories in minimal deduction modulo a la Curry 
and a la Church, let us focus on the particularly interesting property of confusion, concerning 
the congruence relation defining some theory. 

Definition 1.16 (Confusion). 

A congruence relation = is said to be confusing, if it identifies two non-atomic propositions 
starting with a different top-level connective or quantifier. In minimal deduction modulo, 
this means that there exists propositions A, B, C such that A =>• B = Mx.C . 

An example of rewrite rule leading to a confusing theory is \/x.(A =>■ B) — > A => Mx.B. 
This sort of rewrite rule exhibits a major difference between expressing theories in minimal 
deduction modulo a la Church and a la Curry. Indeed, given a theory, adding that rewrite 
rule to the rewrite system defining =, does change provability in Church-system whereas it 
does not in Curry-system (if x is not free in A). 

• In Church system, this rule is not admissible: if the rewrite system is empty, Xa.tr (with 
7r a proof of Mx.B when a is a proof of A) is a proof of A Vx.B and it cannot be a 
proof of of a universally quantified proposition, in particular ^x.(A => B). 

• But in Curry system, all proofs of A => \/x.B are proofs of A =>■ B (since all proofs of\/x.B 
are proofs of (x/x)B), and, by the same reasoning, they are also proofs of \/x.(A =>- B). 

With Alexandre Miquel, we explored, in [7], the relation between strong normalization of 
a theory, when expressed a la Curry or a la Church. We proved that in the case of a 
non-confusing theory, strong normalization is equivalent in systems a la Church and a la 
Curry. And we also proved that in all cases strong normalization a la Curry entails strong 
normalization a la Church for a given theory. 

Theorem 1.17 (Church and Curry strong normalization [7]). 
Let us consider a theory in minimal deduction modulo, 

• if it is non- confusing then it is strongly normalizing in Curry style if and only if it is 
strongly normalizing in Church style. 

• in all cases, if it is strongly normalizing in Curry style then so is it in Church style. 
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Notice that the author conjectures that for confusing theories, strong normalization is also 
equivalent in systems a la Church and a la Curry. See the discussion in the conclusion. 



2. REDUCIBILITY CANDIDATES AND PRE-HEYTING ALGEBRAS 

As explained before, strong normalization is an essential property for logic systems. Girard 
extended Tait's convertibility method to define reducibility candidates, which provides a 
general method to prove strong normalization. 

2.1. Concept of reducibility candidates. 

This section is devoted to introduce the concept of reducibility candidates, by explaining 
the key point of such proofs of strong normalization, in order to understand how reducibil- 
ity candidates can be modified to get completeness while keeping soundness (for strong 
normalization) . 

The main idea of reducibility candidates is to associate to each proposition A, a set of 
proof-terms called TZa containing only strongly normalizing proof-terms and then prove the 
adequacy lemma, which entails strong normalization of the considered logical framework. 

The adequacy lemma states that if ir is a proof of A (in a context T) then it belongs to 
TZa and is therefore strongly normalizing. 

The proof of the adequacy lemma is done by induction on the length of the typing derivation 
r h 7r : A, by case on the last rule used in this derivation. Therefore reducibility candidates 
have to be modeled on typing rules as we see in the following. Let us describe how to 
define those reducibility candidates in the case of the simply-typed A-calculus (i.e. minimal 
predicate logic without universal quantification) in order to prove this adequacy lemma. 
We reason by case on the last rule used in the typing derivation T h tt : A which can be one 
of the three following typing rules: 

a : A GT T,a : Ah tt : B V h tt : A B rhvr':^ 

r=n t axiom r=- — ^ n ft =>-intro — ; k — „ =>-elim 

T\- a: A T h Xa.n : A B T h (tt tt ) : B 

To handle the =>-intro case, we actually need a more precise formulation of this lemma as: 
if r h tt : A then if a is a substitution such that for all variables a declared proof of B 
in r, aa € TZb, then an £ TZa (notice that in this case, if such a substitution a exists, 
then 7r € SN since air € SN). For convenience, we call adequate such substitutions in the 
following. 

Let us describe the scheme of the proof of this adequacy lemma, in order to bring up the 
different properties of reducibility candidates. Remind that we reason by case on the last 
rule used in the typing derivation V h tt : A 

• If the last rule used is axiom, we conclude by hypothesis on a. 
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• If the last rule used is =4>-eZzm, then tt is of the form 7Ti7T2 and there exists a proposition 
B such that r h tt\ : B =>• A and T h 7T2 : i? (both with shorter derivations). Let cr be an 
adequate substitution (for T), we know by induction hypothesis that ott\ G TZb^a and 
(T7T2 € 7&B- To conclude, it is therefore convenient to make another assumption about 
those reducibility candidates: the fact that for all propositions C and D, the set TZq^d 
contains exactly all proof-terms which lead all elements of TZc to elements olTZo- 

• The last case is a little bit trickier: if tt = Aa./i and A = B => C, then we know by 
induction hypothesis that for all v G 7£s, a(u/a)fi G T^-c* (since <j{v/a) is adequate). 
But in order to conclude, we need to prove that its /^-expansion, the neutral proof-term 
a((\a.fi) v), is also in TZc- This leads to make another assumption on the sets TZd, for 
all propositions D: we suppose that if a proof-term is neutral and all its /3-reducts are 
in TZd then it is also in TZd- Notice that we make an assumption on all /3-reducts of a 
neutral term, not on only one /3-reduct, since we want this property to be compatible 
with strong normalization. In our case, since /3-reductions can also appear in Xa.fi and 
in v, we can conclude by making a last assumption on the sets TZd, for all propositions 
D: they are stable by /3-reduction. 

In sum, we define as reducibility candidates for the simply typed A-calculus, the functions 
TZ, from propositions to sets of proof-terms such that: 

- For all propositions A, TZa satisfies the so-called (CRi), (CR2) and (CR3) properties: 

(CRi) TZ A C SN 

(CR 2 ) if tt G TZa and it -)• tt' then it' G TZa 

(CR3) if 7r is neutral and TZa contains all its one-step /3-reducts, then tt belongs to TZa 

- For all propositions A and B, 

TZa^b = {tt such that for all \i G TZa-, tta 4 ^ TZb}- 

Since we are able to define such a set of reducibility candidates for all propositions (by 
associating the set SN to atomic propositions and using the property above as an inductive 
definition for the other propositions), we can conclude, via the adequacy lemma, that the 
simply-typed A-calculus is strongly normalizing. 

Notice finally that reducibility candidates cannot be empty because of the (CR3) property 
(non-emptiness is needed to build an adequate substitution for the contexts considered in 
the adequacy lemma). All normal neutral proof-terms, such as variables, have no /3-reduct 
and are therefore in all reducibility candidates. 

2.2. Soundness for strong normalization. 

To understand why this notion of reducibility candidates can be seen as a sound criterion 
for strong normalization, let us consider a very simple logical framework: the simply-typed 
A-calculus modulo. Applying the concept of deduction modulo, the simply typed A-calculus 
can be extended by considering a congruence = on propositions, and authorizing to identify 
=-equivalent propositions in typing derivations. This leads to consider the following adapted 
typing rules: 



a : A G T 
r h a : B 



A = B 



r,q : A h tt : B 
r h Xa.TT : C 



C = A^B 



rh7r:C T \~ tt' : A 
T h (tt tt') : B 



C = A^B 



ON COMPLETENESS OF REDUCTIBILITY CANDIDATES 



11 



In this logical framework, we can express strongly normalizing and non-strongly normalizing 
theories. For example, if we consider an atomic proposition A, the congruence generated by 
the rewrite rule A — > A expresses a strongly normalizing theory (remind that this rewrite 
rule concerns propositions and not proof-terms). Whereas the congruence generated by the 
rewrite rule A — > A => A expresses a non strongly normalizing theory (since in this case, 
the non-normalizing proof-term (\a.aa)(\a.aa) is a proof of ^4). 

In order to continue to be modeled on typing, since =-congruent propositions are identified 
in typing rules, reducibility candidates for this logical framework have to satisfy another 
property: the fact that if A and B are two =-congruent propositions then 1Z a = TZb- This 
is the idea of pre-models [13] which are the extension of the notion of reducibility candidates 
to deduction modulo. Provided this additional property, the proof of the adequacy lemma 
can be directly transposed to the simply typed A-calculus modulo. Given a theory, the 
ability to build such a set of reducibility candidates (pre-model) via the method presented 
in the section 12.11 is lost in general because of this last property. And the existence of a 
pre-model provides a sound criterion for strong normalization of theories expressed in this 
logical framework. 

2.3. Semantic definition of reducibility candidates a la Church. 

In [10], Gilles Dowek gave a semantic definition of this notion of pre-models, by defining the 
notion of pre-Heyting algebra (also kwown as truth values algebra), on which pre-models 
can be defined as models. We only define here the restriction of pre-Heyting algebras to 
minimal deduction modulo a la Church. 

Definition 2.1 (pre-Heyting algebra). 

Let B be a set, < be a relation on B, A be a subset of p(B), ^ be a function from B x B 
to B and V be a function from A to B, the structure B = (B,<,A,=5-,V) is said to be a 
pre-Heyting algebra if 

• the relation < is a pre-order, 

• for all a G B and A € A, a =4> A is in A, 

• V is an infinite greatest lower bound for <, 

(For A £ A and a € B, we write a =4* A for the set {a =4> b, for b £ A}.) 

Let us now define the notion of model valued on a pre-Heyting algebra. 
Definition 2.2 (i3-valued structure). 

Let C = (fi,Pj) be a first-order signature and B be a pre-Heyting algebra, a B-valued 
structure M. = (M, B, fi, Pj) for the first order signature £, is a structure such that each fi 
is a function from M n to M where n is the arity of the function symbol fi and each Pj is 
a function from M n to B where n is the arity of the predicate symbol Pj. (We may call M 
the term-model in the following.) 

Definition 2.3 (Environment). 

Given a set ^-valued structure M = (M,B, fi,Pj) , an environment is a function which 
leads each term-variable to an element of M. 
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Definition 2.4 (Interpretation). 

Let B be a pre-Heyting algebra, M be a £>-valued structure and </> be an environment. The 
interpretations \t\^ of a term i in A4 and [[A]]^ 1 of a proposition A in M. are defined as 
follows 

• M$ l = <t>(x), 

. [/(il,...,in)lf 1 = /(pl]^,...,[inli 4 ), 
. [A =* B\f = IA}M * \B\^, 

• fix A}^ = V {[^]^+{x,e> | e G M} when it is defined. 



Remark 2.5. We omit M from [L4J^ / ' when it is clear from context. 

In all the pre-Heyting Algebras we consider in this paper, A at least contains all the sets 
of the form {[-A]<^+(x,e) I e £ M} so that [Vx.-AJ^ is always defined. 

The following lemma comes for free with the previous definition that builds the interpreta- 
tion of a proposition, inductively from the first order signature, given a B- valued structure. 

Lemma 2.6. For all propositions A and environments (j), \{t/x)A\ ( j ) = M-] <£+ (a, [*],*)■ 

Proof. By structural induction on A and u. □ 

This lemma shows a fundamental property concerning interpretations of term-substituted 
propositions. It is important to notice that in section [3l when we propose another way to 
define interpretations of propositions, we shall need to add this property directly in our 
definition of models, whereas it is not the case presently. 

A model is a ^-valued structure such that the associated interpretation identifies congru- 
ent propositions of the considered theory (it its original statement a model also identifies 
congruent terms, but this is of no interest for the present paper). 

Definition 2.7 (Model). 

The B- valued structure A4 is said to be a model of a theory (£, =) if for all propositions A 
and B such that A = B, for all environments </>, [A]^ = [-Bj^. 

Finally we present the definition of the pre-Heyting algebra of reducibility candidates and 
state that the existence of a model valued on this algebra is a sound semantic criterion for 
strong normalization of theories expressed in minimal deduction modulo (notice that the 
original theorem concerns whole deduction modulo a la Church |10|). 

Definition 2.8 (The algebra of reducibility candidates). 

The domain of the algebra is C the set of reducibility candidates (i.e. the set of sets of 
proof-terms which satisfy (CRi), (CR2) and (CR3)). 

The C-valued structure M = {M, C, fi, Pj) is composed of M the set of terms, each /j is the 
function symbol fi itself and each Pj is the constant function leading all tuples of terms to SN. 
The set A is p(B). 
< is inclusion. 

For all a, b € C, a^>b is defined as the set of proof-terms 7r such that for all fj, G a, tt/j, G b. 
For all A G A, VA is the set of proof-terms tt such that for all terms t and a G A, tt t G a. 
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Theorem 2.9 (Soundness [331 ED]). 

If a theory in minimal deduction modulo has a C-valued model then it is strongly normal- 
izing. In other words, the existence of a C-valued model is a sound criterion for strong 
normalization of a theory in minimal deduction modulo (a la Church). 

Proof. The proof of that theorem consists in proving the (right form of) adequacy lemma 
presented in section (see !2.ip . □ 



2.4. On the interpretation of universal quantification. 

The previous definition, of reducibility candidates as C-valued models, leads to interpret a 
proposition Mx.A as: 

[Vx.^ = V{[A]^ +(a!it) | t <G M} 

= {ir such that for all terms t\, t2, nti € [^4]</>+(x,t 2 >} 

= {ir such that for all terms t\, t<i, nti € [^/a^A]^}. 

This definition does not capture exactly the V-elim rule. Indeed it is too restrictive since 
t± and t2 are not synchronized. For example, if we consider the theory of natural numbers, 
we could imagine a proof of Vx, x > 0, which does not gives a proof of ti > when applied 
to t2, a term different from t\. This sort of proof would not belong to [Vx, x > Oj^,. This 
causes difficulties to prove completeness of C-valued models as such. In the following, we 
present two solutions. The first one consists in making more precise this interpretation but 
this necessitates to extend the notion of pre-Heyting algebra. And the second one considers 
proof-terms a la Curry. 



3. Toward completeness 

We have seen that reducibility candidates provide a sound criterion for strong normalization 
of theories expressed in minimal deduction modulo. In order to prove that it also forms 
a complete criterion, one has to prove that whenever a theory is strongly normalizing, it 
is possible to build a model valued on reducibility candidates (C) for that theory. The 
method we use is closer to Henkin's proof [18] of completeness of Boole-valued models for 
consistency in first order logic, than to Godel's one [16j since it consists in directly building 
that reducibility candidates model from the hypothesis of strong normalization. 
How to use that hypothesis of strong normalization? A possibility is to consider well-typed 
proof-terms, i.e. first associate to each ordered pair of a proposition and an environment 
the set of proof-terms that are proofs of that proposition (in some context). And second, 
prove that it forms a reducibility candidate when the theory is strongly normalizing. We 
shall see that this naive idea does not apply as such, but it brings up a new manner to define 
models valued on a pre-Heyting algebra. The usual way, that was presented in section 
is to define the interpretation only on atomic propositions, and then obtain its value on 
non-atomic propositions by using =4> and V as inductive definitions. This way, the only 
needed property to obtain a model is the fact that interpretations of congruent propositions 
are equal (we shall say adapted to the congruence). The other way we propose consists in 
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defining more generally interpretations as functions from ordered pairs of a (not necessarily 
atomic) proposition and a environment to elements of the domain of the considered algebra. 
This way, models are defined as interpretations 

(1) which are adapted to the congruence, 

(2) which satisfies the property of lemma [276], namely the substitution property, 

(3) and such that the interpretation of A => B is the value of =4> applied to the inter- 
pretations of A and B, and the analog property for V (we shall say adapted to the 
connectives). 

As we shall see in the following, defining an interpretation adapted to the congruence by 
definition and then proving that it is also adapted to the connectives, may be simpler 
than the opposite. It is the reason why we propose those slightly different definitions of 
interpretations and models, which emphasize that models can be built in a different way 
from the usual one. Notice that we give a simplified definition since we shall only consider 
models based on a term-model equal to the set of terms defined by the considered first order 
signature. 

Definition 3.1 (Environment (2)). 

Environments are now functions from term- variables to terms (i.e. substitutions). 
Definition 3.2 (Interpretation (2)). 

Given a pre-Heyting algebra B, a B-valued interpretation is a function which leads all ordered 
pairs of a proposition and a environment to an element of B. 

Let T be a theory expressed in minimal deduction modulo, given by a first order signature 
and a congruence relation =. 

Definition 3.3 (Model (2)). 

We write M the set of terms of T. 

Let B = (B,<,A, =4>, V) be a pre-Heyting algebra. 

A ,6-valued interpretation (leading propositions A and environments 4> to J-AJaf) is a model 
of the theory T if and only if for all environments 4>, propositions A, B terms t and term- 
variables x, 

- it is adapted to the connectives, i.e 



- it satisfies the substitution property, i.e l(t/x)A}^ = {AJ^ + , t > 

- it is adapted to the congruence, i.e if A = B then [.A]]^ = P?]jf 

Let us now see how to tune the usual definition of reducibility candidates to obtain com- 
pleteness for strong normalization. 



(1) [A=>BJ 

(2) IVx.AW 



M _ 
4> ~ 
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3.1. On the (CR3) property. 

As previously mentioned, the way we use the strong normalization hypothesis is to consider 
first well- typed proof-terms, by interpreting a proposition by its proofs (in some context). 
Notice that such an interpretation is obviously adapted to the congruence since the sets of 
proofs of two equivalent propositions are equal. But such sets of well-typed proofs cannot 
satisfy (CR3) since all sets of proof-terms satisfying (CR3) contain ill-typed proof-terms. 
For example, aa is neutral and normal hence it belongs to all reducibility candidates. But 
if aa is well-typed in a theory then so does (Xa.aa)(Xa.aa) which is not normalizing and 
therefore cannot be well-typed in a strongly normalizing theory (as seen in the end of section 

Since we want to avoid ill-typed proof-terms like aa from our new reducibility candidates, 
we make a first restriction on the (CR3) property leading to, for some set E of proof-terms: 

(CR3a UX ) if a proof-term is neutral, not normal and all its one-step reducts belong to E 
then it also belongs to E. 

This way, (CR3 aux )-extensions of proofs of a proposition are proof-terms such that all re- 
duction sequences from it eventually reach a proof of that proposition. 
But if we simply define the interpretation of a proposition as the (CR3 aux )-extension of 
proofs of that proposition, we do not get a interpretation adapted to the connective =>■. 
Indeed, in that case, if n belongs to the interpretation of a proposition B (let us write it 
\E\ without considering environments for the moment) and ir is not a proof of B then tt 
is a (CR3 aux )-extension of a proof of B, and for all proof-variables a, not free in ir, Xa.ir 
belongs to [A]=^-[B] but not to \A => BJ (with the usual of reducibility candidates). 

• For all 7r' £ [L4J, one can prove that all reducts of the neutral proof-term (A<x7r)7r' belong 
to B by induction on the lengths of the maximal reductions sequence from ir and ir' , and 
the fact that the head-reduct {ir 1 /a)ir = ir G fBj. Hence ir belongs to [A]^[.BJ. 

• But if ir is not a proof of B then Xa.ir is not a proof of A B and (CR3 aux ) cannot 
prove that Aa.Tr belongs to \A BJ since Xa.ir is not neutral. 

Hence \A BJ 7^ |A[ =4> , i.e. [.]] is not adapted to the connectives. 
In order to get connectives adaptation, we propose to relax this (CR3 aux ) property by 
authorizing those "neutral not normal expansions" not only one by one at the root of the 
syntax tree representing a proof-term, but simultaneously at different nodes of that tree. 
This leads to the following definition: 

(CR 3 ) for all n 6 N, for all proof-terms v,fa,..., p, n , if 

- for all i <n, fa is neutral and not normal, 

- for all proof-terms pi, . . . , p n such that for all i < n, fa — >■ pi, we have \pija^\iV € E 

then we have [fa/ai]iV £ E. 

where \p,i/ai\iV denotes the sequence of substitutions with capture of ai by fa for < i < n. 

With this definition, if tt is a (CR 3 )-expansion of a proof of B (in some context) and a is 
a proof-variable not free in tt, then Xa.n is a (CR 3 )-expansion of a proof of A => B (in the 
same context) (see lemma PPJ]) . And we get back the fact that our interpretation is adapted 
to the connective =^. 
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3.2. On the interpretation of the universal quantification. 

A last problem for proving completeness of usual reducibility candidates for minimal de- 
duction modulo a la Church comes from the definition of V. As seen in the previous section, 
this definition leads to interpret a proposition \/x.A as the set of proof-terms which lead all 
terms t\ to the interpretation of (t2/x)A, for all terms ti- 

This prevents the interpretation defined above, based on well-typed proof-terms, from be- 
ing adapted to the connective V, since the classical V does not model precisely enough the 
V-elim rule. Indeed if ir is a proof of Vx.^4, and t±, t 2 are terms, the V-elim rule cannot help 
to deduce that irti is a proof of (t2/x)A. 

In order to synchronize those two terms in the definition of V in reducibility candidates a 
la Church, the author defined in [1] and [5] the notion of language-dependent truth values 
algebras (ldtva). Defining reducibility candidates (with (CR' 3 )) as a model valued on a ldtva 
provides a sound and complete criterion for strong normalization of non-confusing theories 
in minimal deduction modulo a la Church. 

In the next section, we define sound and complete reducibility candidates for both confusing 
and non-confusing theories in minimal deduction a la Curry. 



4. Complete reducibility candidates a la Curry 

This last section is devoted to the definition of a complete sound and complete semantics 
for strong normalization in minimal deduction modulo a la Curry. Considering Curry- 
style proof-terms allows to use the classical notion of pre-Heyting algebra. Since terms do 
not appear in proof-terms in minimal deduction modulo a la Curry, it allows to define V 
as a usual intersection. Moreover, it provides a stronger result than previous results (in 
minimal deduction modulo a la Church) since it concerns both confusing and non-confusing 
theories. And, icing on the cake, the proof of completeness of those reducibility candidates 
is considerably shorter than the one concerning minimal deduction modulo a la Church. 

The new pre-Heyting algebra of reducibility candidates we propose for minimal deduction 
a la Curry differs on two points, from the usual (only sound) one for minimal deduction a 
la Church, presented in section [2j The first point is that V now is classical set-intersection 
since we consider proof-terms a la Curry. The second point is that the domain we now 
consider is the set of proof-terms satisfying (CRi), (CR2) and the new property (CR' 3 ) (to 
ensure completeness while keeping soundness for strong normalization). 

Definition 4.1 (The algebra of complete reducibility candidates a la Curry: C). 

The domain of C is the set of non-empty sets or proof-terms which satisfy the properties 

(CRi), (CR 2 ) and (CR' 3 ). 

The set A is p(C). 

< is set inclusion. 

For all a, b G C , a^b is the set of proof-terms ir such that for all /i£a, irfi G b. 
For all A G A, \/A is the set of proof-terms tt belonging to all a G A. 

This definition provides a pre-Heyting algebra since we can easily check that for all a,b G C 
and A G p(C'), a =5* b G C and WL G C, and that V is an infinite greatest lower bound for 
set inclusion. 
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4.1. Soundness. 

In this section, we prove that the existence of a C-valued model entails strong normalization 
of theories expressed in minimal deduction modulo. In other words, replacing the usual 
(CR3) by (CR3) keeps soundness for strong normalization. Soundness (theorem I4.3[) is 
entailed, as usual, by the (right form of) adequacy lemma (lemma H~2j) . 

Lemma 4.2 (Adequacy). 

If [.]. is a C -valued model of a theory in minimal deduction modulo a la Curry, 

then for all propositions A, contexts T , environments eft, proof-terms tt and substitutions a 

such that for all declarations a : B inT , act G [-B]L, we have: 

ifT h tt : A then an G {Aj^. 

Proof. By induction on the length of the derivation of T h n : A. By case on the last rule 
used. If the last rule used is : 

• axiom: in this case, n is a variable a, and T contains a declaration a : B with A = B. 
Then aa G JBJ = {Aj^. 

• =>-intro: in this case, n is an abstraction Aa.r, and we have r, a : B h r : C with A = 
B =>■ C. Let a' such that for all variables /3 declared in T, a 1 (3 = a (3 and a' a. is an element 
of \B\ ( j ) . Then a'r € \C\$ by induction hypothesis (and a'r is in SN, therefore a(Xa.r) 
is also in SN). Let tt' € [-BJ^, we prove by induction on the sum of maximal lengths of a 
reductions sequence from a(Xa.r) and n' (each in SN) that every one-step reduct of the 
neutral not normal proof-term a(Xa.r) tt' is in [CJ^. If the one-step reduct is o"(7r / /a)r, 
we conclude by induction hypothesis (on the length of the derivation) since tt' £ [-B]L. 
Otherwise, the reduction takes place either in a(Xa.r), either in tt'. We conclude first 
by induction hypothesis on the sum of the maximal lengths of reductions sequence from 
a(Xa.r) and tt'. And second by the fact that both [B]^ and \B =>■ CJ^ satisfy (CR2). 
Finally, a(Xa.r) tt' € [C]^, since it satisfies (CR3) and a(Xa.r) tt' is neutral, not normal. 
Hence a(Xa.r) G [Sfl^C^ = \B => Cj^ = {A}^ 

• ^-elim: in this case, tt is an application pr, and we have T \- p : C = B ^> A and T h r : 
B. Therefore, by induction hypothesis, ap G [B =>■ AJ^ = [BJ^^^J^ and err G [5]^,. 
Therefore cr(pr) G [AJ^. 

• V-intro: in this case, we have T \- tt : B with A = Mx.B. Hence for all terms t, ci7r G 
[-Bl^+^.t) by induction hypothesis, since, 4> + (x,t) is an environment. And air G 
IVx.BJj, = {Alt by definition of V. 

• V-elim: in this case, we have T \- tt : \/x.B with A = (t/x)B. Hence, by induction hypoth- 
esis, air G [-Bj</,+(;E,t} = l(t/x)B} ( j > = {A}^, by the substitution property. □ 

As previously mentioned, the adequacy lemma directly entails soundness for strong normal- 
ization. 

Theorem 4.3 (Soundness). 

If a theory in minimal deduction a la Curry has a C -valued model, then it is strongly 
normalizing. 

Proof. If [.]. is a C-valued model of this theory then for all judgements r h tt : A and a and 
(j) as in the previous proposition, we have air G [yl]L hence air G SN, therefore tt G SN. □ 
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4.2. Completeness. 

In this section, we prove that the definition of C'-valued model also gives a complete criterion 
for strong normalization in minimal deduction a la Curry. Following Henkin's method 
[19j rather than Godel's one [16], we build directly a C- valued model from the strong 
normalization hypothesis of a theory. As explained in section [3l we interpret propositions 
A as the (CR3) expansion of proofs of A in a general context A. We prove (lemma [4. 7p that 
this interpretation takes its values in C when the theory is strongly normalizing (the strong 
normalization hypothesis is only needed to prove that this interpretation satisfy (CRi)). 
This interpretation constitutes a model since it is trivially adapted to the congruence, it is 
adapted to the substitution (lemma l4.1ip . and to the connectives (lemmas 14.101 and 14. 12|) . 
Finally we obtain the completeness theorem 14.131 

Definition 4.4 (The universal context A). 

We consider a context which contains an infinite number of declarations for each proposition 
of the considered theory. 

Definition 4.5 (fl, a particular set of proof-terms). 

For convenience, we write O the set of strongly normalizing, neutral, not normal proof-terms. 

In the following, when i and n are integers, pi, . . . , p n , p±, . . . ,p n are proof-terms, ax,...,a n 
are proof- variables, we shall write [pi/ui\i< n for the substitution (with capture) 
\p n /a n ] . . . \pi/ai] (we may write [pi/otj\i when n is clear from context). We shall also 
write (pi)i — > (pi)i, when for all i < n, pi — > pi. 

We define the interpretation of a proposition A and an environment (ft {i.e. a term- 
substitution in our case), as the (CR 3 )-countable iteration expansion of the set of proofs of 
<ftA. 

Definition 4.6 (Closure). 

For all propositions A and environments (ft, we define Cl{A)^ as follows : 
for all k € N, 

• Cl°(A)^ = {vr such that A h vr : <f>A} 

• Cl k+1 (A) ( p = {it such that there exists n € N, a proof-term u w and (pi)i< n Q 

such that 7r = [pi/oii\i< n u n and for all (pi)i< n 
if (pi)i -> (pi)i then [pi/aj\i< n u n £ Cl k (A),f > } 

. Cl(A)t = U j& CV{A) 4t 

Notice first that the strong normalization of the pi is not a necessary hypothesis but it 
simplifies item (CRi) of proof of lemma 14.71 (which is detailed in [5]). Notice also that 
this (CRg)-expansions iteration is monotonous for inclusion, i.e. for all propositions A, 
environments <fi and k G N, Cl k {A) ( j ) C Cl k+1 {A) l f ) . Hence for all propositions A and 
environments eft, C^A)^ is not empty since neither is Cl°(A) ( j } (it contains, in particular, all 
proof- variables declared of type (ft A in A). 

We prove now that this interpretation leads all ordered pairs of a proposition and an envi- 
ronment to elements of C when the considered theory is strongly normalizing. 

Lemma 4.7. 

If the considered theory is strongly normalizing then for all propositions A and environments 
(ft, Cl(A)$ belongs to C' . 
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Proof. Let A be a proposition and (f> be an environment. 

(CR2) Let tt 6 01(A)(1) and 7r' a proof-term such that tt — > tt'. Then there exists (a minimal) 
k E N such that tt € Cl k (A) ( j } . By induction on k. 

- If k = 0, then A h 7r : </>.A, therefore A h 7r' : <pA by subject-reduction. 

- If k > 0, then 7r = \pijct^\iV with each /Zj in $7, and such that for all (p%)% with 

— > (Pi)ii w e have [pi/ai]iV 6 C/ fc ~ 1 (A)^ ) . Since each /ij is neutral, the redex 
we reduce in pi is either in some pi or in v. Thus, 

- Either tt' = [pi /ai ]\p,i/ai]i^i v, with pi a — > pi . In this case, tt' belongs to 
Cl(A)(f) (by considering the substitution [pi/cti]i^i on the proof-term [pi Q / ai }v) . 

- Or tt' = [pi/cii]iU with v — > u'. Hence [pi/ai]iV € Cl k ~ 1 (A) ( f ) since Cl k ~ 1 (A) < j } sat- 
isfies (CR2) by induction hypothesis on k. And we conclude that tt' = [pi/dj\iV € 
Cl k (A)(,). 

(CRi) The fact that CI(A)j, only contains strongly normalizing proof-terms is not so hard 
to show but the proof (see [5]) is still quite technical and long. The proof scheme is 
globally the same as the classical standardization theorem proof by Curry and Feys 
[8]. It uses parallel reduction and defines, as in Curry and Feys proof, two kinds 
of reductions for a proof-term \pijai\iW. reductions in v versus reductions in the pi 
(Curry and Feys distinguish head reductions from other reductions in their original 
proof). Notice finally that (CRi) must be proved after (CR2) since the latter is used 
in the proof of the former. 

(CR3) Cl(A)(p satisfies (CR3) by construction, using the (CRi) property and the fact that 
the (CR 3 ) extension [m/ati]iv of a proof-term \pi/oti]iV in SN is necessarily in SN 
hence so are the pi (see [5] for a detailed proof). □ 

Let us now prove an important property that is necessary to prove that our interpretation 
is adapted to both and V. 

Lemma 4.8. 

For all propositions A, environments and tt € CI(A)j,, there exists k € N, less than 
or equal to the maximal length of a reductions sequence from tt such that tt € Cl k (A) ( f ) . 
In particular, if tt is in normal form then tt £ Cl°(A) ( j } i.e. A h tt : (pA. 

Proof. By induction on the maximal length m of a reductions sequence from tt. If m = 
then tt is in normal form so it is necessarily in CI (A)j,, since the proof-terms that belong 
to Cl k+1 (A)(f) but not to Cl k (A)(p cannot be in normal form. If m > 0, let p be some 
subterm of tt that is a redex. p is neutral, not normal and strongly normalizing (since 
tt £ SN). Let tt' be a proof-term obtained by reducing a redex of tt that is also a redex 
of p, and p be the proof-term obtained by reducing that same redex in p. Let us write v 
the proof-term obtained by replacing the redex p by the proof-variable a in tt. We have 
tt = \pja\v — > [p/a\u = tt' . The maximal length of a reductions sequence from tt' is less 
than or equal to m — 1, then there exists, by induction hypothesis, k < m — 1 such that 
tt' = \p/a]u G Cl k (A)^. Thus tt € Cl k+1 (A)^ with k + 1 < m. □ 

In the following, we prove that Cl(.). forms an interpretation that is adapted to the con- 
nective =^. We first prove a useful lemma (as explained in section [3TT]) . 
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Lemma 4.9. 

For all propositions A, B and environments <j), proof-terms tt and proof-variables a, (3 such 
that a does not occur free in tt, 

if A h a : <f>A and (a/p)ir G CZ(5)^ then Xf3.Tr G Cl(A B)^. 

Proof. There exists a minimal k such that (a/f3)ir G Cl k (B) ( f > . By induction on /c. 

• if k = 0, then A h (a/f3)ir : </>i?, hence A h A/3.7T : <fj(A =4> 5) and we conclude that 
Xf3.Tr 6 C7°(,4 

• if fe > 0, then (a/f3)ir = [pi/oti]^ with each pi G ft and such that for all (pi)i with 

(pi)i, we have [pi/a^jf G Cl k ~ l (B) 4l . (H) 
Let us write v' = (f5/a)v and /!■ = (f3/a)pi for each i. 

We have tt = (f3/a)(a/ f3)ir = ((3 / ' a)([p,i / a^v) = [((3 / 'a) m / 'ai]i((/3 / 'a)v) = \p!Jai\iu' since 
a is not free in tt. 

Hence Xf3.Tr = A/3.([/^/a,]ji/) = [/^/aj]i(A/3.z/) ([./.] is substitution with capture). 
We can notice that the p! i belong to Q since the pi do. 
Let (pj)i such that p! i — > p\ for each i. 

Notice that we have (a/f3)u' = (a/ f3)(f3 /a)u = v and (a//3)p- = (a/ [3)([3 / a)pi = pn for 
each i, since f3 is not free in [a/ (3)tt = [pi/a^ii*. 

Hence for each i, m = (a//3)/^ — > [aj f3)p' i , thus [(a/ (3)^/ ' a^v € Cl k ~ x {B)^ by (H). 
Since v = (a/ f3)v' , we have (a/ f3)([p'i/ 'ct^ii/') G Cl k ~ 1 (B) ( f ) thus A/3.([X/aj]jz/) belongs to 
C7(^4 B)^ by induction hypothesis. 

Finally, [p' i /ai]i(X[3.v') € C7(j4 =>- i?)^, for all (pi)i family of respective reducts of the pi. 
Hence Xf3.Tr = 'ai]i(Xf3.u') G C7(A => 5)^ since that set satisfies (CR 3 ). □ 

Lemma 4.10. 

For all propositions A,B and environments (f>, Cl(A B)^ = Cl(A) ( f ) ^Cl(B) ( j ) . 
Proof. 

C Let tt G C/(A B)<p, 

then 7r € SN by (CRi). Moreover there exists (a minimal) k G N, such that 7r £ Cl k (A =^ -B)^. 
Let 7r' G 67(^4)^, then there exists (a minimal) j G N, such that tt' G CP(t4)^. Let us 
show that tttt' G Cl(B)^ by induction on k + j. 

— If fe + j = 0, then A h 7r : <^(^4 5) and A h V : ^4 hence A h 7r7r' : <j)B and 
vr^' G Cf{B)^. 

— If > 0, then there exists 1^, and (pi)i< n ^ ^, such that 7r = [pi/ai]i z^r and 
for all (pi)i with (pi)i — > (pi)i, we have [pi/ai]i G C7 fc-1 (A =4> £>)</,. Therefore 
[/Oi/ai]i (^tt Ti"') = [pi/"i]i tt' € Cl{B)$ by induction hypothesis. Hence 7r7r' G 
Cl(B)§ since it satisfies (CR3). 

— If j > 0, then there exists iV) an d (p-i)i< n ^ such that 7r' = \pija^\i and for all 
(pi)i, with (jUj)j -)■ (^4)4, we have [pi/a^i v n < G CP~ 1 (A) 4l . 

Therefore [pi/cti]i (tt v^) = [pi/cti]i tt G Cl(B)$ by induction hypothesis. Hence 
tttt' G C/(i?)^ since it satisfies (CR' 3 ). 

D Let 7r G CZ(A)^^C/(B)0, then 7r G SN and for all tt' G Cl(A)$, tttt' G CZ(B)^. 

— If tt is a proof-abstraction Xf5.Tr', let a be a proof-variable, not free in tt' , such that 
Aha: <j)A, then (A/3.7r')a G CliB)^ and so does (a//3)7r', by (CR 2 ). Therefore 7r 
belongs to C7(,4 B)^ by lemma I4T91 
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— If 7r is neutral and normal, let a be a proof-variable such that Aha: 4>A, then 
ttol £ Cl{B)$. Moreover tt is neutral and normal, therefore tree is normal, hence, 
by lemma SSI vra £ Cf(B) <t> , i.e. A h ttol : (f>B, and A h 7r : 0(^4 =>• B), thus 

— Otherwise, 7r € SW, is neutral and not normal. All its neutral normal and not neutral 
(more than one-step-) reducts belong to C '1(A) <£=^C '1(B) $ by (CR2) and therefore to 
Cl(A => B)^ by the previous points. By repeatedly using the (CR 3 ) property, we 
conclude that tt also belongs to Cl(A => B)$. □ 

Now that we have proved that C7(.). has its values in C (when the considered theory is 
strongly normalizing) and that it is adapted to the connective =>, the last properties needed 
to prove that C7(.). is a model are first the substitution property and second, the fact that 
it is also adapted to the connective V. This latter property becomes simpler to prove when 
considering theories expressed in minimal deduction modulo a la Curry since V is now 
classical set-inclusion. 

Lemma 4.11 (Substitution). 

For all propositions A term-variables x, terms t and environments <f>, 
Cl((t/x)A) (f> = Cl(A)^ t) . 

Proof, tt € Cl°((t/x)A) (j) if and only if A h vr : <f>(t/x)A = (t/x)cpA = (<f> + (x,t))A 

if and only if tt £ Cl°(A)^ )+ ^ x ^ (notice that term-substitutions commute). 

Hence Cf((t/x)A) (j) = Cl (A)^ t) and Cl({t/x)A) (j) = Cl(A) n{ , X:t) . □ 

Lemma 4.12. 

For all propositions A term-variables x and environments (ft, 
Cl^x.A)^ = V {Cl(A),p +{X)t) , for t term}. 

Proof. 

C Let tt £ Clftx.A)^, then there exists (a minimal) k £ N such that tt £ C^^x.A)^. By 
induction on k. 

- If k = 0, A h tt : <p(yx.A), hence for all terms t, A h tt : (t/x)cj)(A) and tt £ 
Cl°(A)^ +{X)t) bylemmaSUl 

- If k > 0, then tt = [fj,i/a>i]iV, with (pi)i C O and such that for all (pi)i with (fii)i — > 
(pi)i, we have \pijaj\iV £ Cl k ~ 1 (ix.A),p C V {CZ(^4)^ + ^^, for i term}, by induction 
hypothesis. Since all the Cl(A)^ + i x ^ t \ satisfy (CR' 3 ), tt also belongs to each of those 

Cl(A)^ + ( x jy 

5 As seen in lemma 14.81 if ^ belongs to some Cl(B)^ then there exists some k, less or 
equal than the maximal length of reductions from tt, such that tt £ Cl k (B)^. Hence, in 
our case, if tt € V {Cl(A)^ + ^ x ^, for t term}, then there exists k such that for all terms 
t, tt £ Cl k (A) l p + ^ x t y We reason by induction on k. If k = 0, we have, in particular 
tt £ Cl°(A) c j >+ / XtX \, i.e. A h tt : 4>A hence A h 7r : (j)(\/x.A) (of course we can suppose that 
x is not bound in <f>). If k > 0, then we conclude by the fact that Cliy/x.A)^ satisfies 
(CR3), as usual. □ 
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We finally get the completeness result: 
Theorem 4.13 (Completeness). 

If a theory is strongly normalizing in minimal deduction modulo a la Curry, then Cl{.), is 
a C -valued model of that theory. 

Proof. By lemmas and □ 

Notice that the strong normalization hypothesis is only used once in the proof of com- 
pleteness, when proving that the interpretation of a proposition and an environment only 
contains strongly normalizing proof-terms. 

4.3. Semantic characterization of strong normalization. 

From Theorems 14.31 and 14.131 we prove that the existence of a C'-valued model is a sound 
and complete semantic criterion for strong normalization of theories expressed in minimal 
deduction modulo. 

Theorem 4.14. 

A theory is strongly normalizing in minimal deduction modulo a la Curry if and only if 
there exists a C'-valued model of that theory. 

Remind that we obtain this result for both confusing and non-confusing theories unlike 
what we obtained in [1] and [5] for minimal deduction modulo a la Church. 

Moreover, for a theory, strong normalization in Curry style entails strong normalization in 
Church style [7] , hence this CWn/-criterion is also a sound criterion for strong normalization 
of Church-style proof-terms. The existence of a (Curry) C'-valued model entails strong 
normalization of both Curry-style and Church-style proof-terms of the considered theory. 

We also conjecture that strong normalization in Church style and in Curry style are equiv- 
alent, in which case, the criterion provided in this paper would also be complete for strong 
normalization in minimal deduction a la Church. 



Perspectives 

In this paper, we provide a sound and complete semantic criterion for strong normalization 
of theories expressed in minimal deduction a la Curry. To obtain that semantic criterion, 
we use the extension (CR3) of the usual (CR3) property of reducibility candidates, that was 
introduced in [U [5] to provide a sound and complete criterion for strong normalization in 
minimal deduction a la Church. Considering proof-terms a la Curry, instead of a la Church, 
greatly simplifies both the definition of that criterion and the proof of its completeness, since 
it allows to use the classical notion of pre-Heyting algebras and to define the interpretation 
of the universal quantification as usual intersection. 

This sound and complete semantic criterion for strong normalization brings up a second link 
between proof-theory and model-theory. Godel-Tarski first link allowed to prove fundamen- 
tal theorems about consistency of first order theories. As mentioned in the introduction, it 
allowed to prove the independence of the axiom of choice from Zermelo-Fraenkel set theory, 
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using model-theory techniques, like Fraenkel-Mostowski permutation and Cohen's forcing, 
to entail from ZF consistency, both ZFC and ZF-iC consistencies. This Godel-Tarski link 
also allowed to prove the independence of the continuum hypothesis from ZFC \17\ [2]. via 
the same method. 

The ambitious goal I propose to pursue is to use the semantic criterion for strong normaliza- 
tion defined in this paper, and reproduce Godel-Cohen method for obtaining independence 
(for strong normalization) of the axiom of choice from ZF. This implies different steps: first 
extend Dowek-Miquel embedding of Zermelo set theory in deduction modulo in order to 
embed the whole Zermelo-Fraenkel set theory. Second, extend our semantic criterion for 
strong normalization to the whole deduction modulo (using also Curry-style proof-terms 
for existential quantification). And finally build, from a C model of ZF, two other models 
of ZF, one that is compatible with the axiom of choice and one that is not. We could, for 
that purpose, add to the language Hilbert's operator of choice e. Then we may try to adapt 
Fraenkel-Mostowski's permutation method in order to build a C'-model of ZF in which all 
interpretations of a formula of the form 3x.A are equal to the interpretation of (e(A)/x)A. 
And finally, we may try to adapt Cohen's forcing method in order to build another C'-model 
of ZF in which the previous property is not satisfied. 

Finally, this paper can also have practical spin-offs concerning proof assistants and proof 
checkers. Dedukti [9] is a universal proof-checker that can check now proofs produced by 
the proof-assistants Coq [3] and HOL-Light [20]. Dedukti is based on the formalism of AIT- 
calculus modulo [6], the extension of deduction modulo with dependent types. Dedukti's 
checking relies on computation and therefore on strong normalization of the theory that 
expresses the logical formalism of some proof assistant. The present paper gives techniques 
to prove relative normalizations of theories that represent proof assistants. For example 
we could prove that the union of theories representing Coq and HOL-Light is strongly 
normalizing, given the fact that one of them is strongly normalizing. That would allow to 
check simultaneously proofs coming from both proof assistants and ensure that way that 
the associated developments in each proof assistant can be somehow combined. 
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